Cyber-Landscape II: Protection of Critical Infrastructure

Numerous states have enacted legislation for the protection of critical infrastructures (KRITIS) in recent years. This interactive map visualises the current state of regulation in selected states. For further information, please move the cursor over a country and then click on it.

European Union

Communication from the Commission on a European Programme for Critical Infrastructure Protection

Communication on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection

EU Critical Infrastructure Directive

The Directive defines critical infrastructure as follows: "'critical infrastructure' means an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions."

As well as the selection criteria:

  • (a) casualties criterion (assessed in terms of the potential number of fatalities or injuries);
  • (b) economic effects criterion (assessed in terms of the significance of economic loss and/or degradation of products or services; including potential environmental effects);
  • (c) public effects criterion (assessed in terms of the impact on public confidence, physical suffering and disruption of daily life; including the loss of essential services).

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (short: NIS Directive)

The NIS Directive (Directive (EU) 2016/1148) details the following risk management and incident reporting obligations for operators of essential services and digital service providers.

What are operators of essential services, and what will they be required to do?

  • Operators of essential services are private businesses or public entities with an important role for the society and economy.

Under the NIS Directive, identified operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority.

The security measures include:

  • Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk.
  • Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
  • Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.

How will Member States identify operators of essential services?

Each Member State will identify the entities who have to take appropriate security measures and to notify significant incidents by applying these criteria:

(1) The entity provides a service which is essential for the maintenance of critical societal/economic activities;

(2) The provision of that service depends on network and information systems; and

(3) A security incident would have significant disruptive effects on the provision of the essential service.

Which sectors does the Directive cover?

The Directive will cover such operators in the following sectors:

  • Energy: electricity, oil and gas
  • Transport: air, rail, water and road
  • Banking: credit institutions
  • Financial market infrastructures: trading venues, central counterparties
  • Health: healthcare settings
  • Water: drinking water supply and distribution
  • Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries

What kind of incidents will be notifiable by the operators of essential services?

The Directive does not define a threshold for what constitutes a significant incident requiring notification to the relevant national authority. It defines three parameters which should be taken into consideration:

  • Number of users affected
  • Duration of incident
  • Geographic spread

These parameters may be further clarified by means of guidelines adopted by the national competent authorities acting together within the Cooperation Group.

What are digital service providers (DSPs), and what will they be required to do?

  • Important digital businesses, referred to in the Directive as "digital service providers" (DSPs), will also be required to take appropriate security measures and to notify substantial incidents to the competent authority.

Security measures cover the following:

  • Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk.
  • Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
  • Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.

The security measures taken by DSPs should also take into account some specific factors, to be further specified in a Commission implementing act:

  • security of systems and facilities
  • incident handling
  • business continuity management
  • monitoring, auditing and testing
  • compliance with international standards

What kind of incidents will be notifiable by the DSPs?

The Directive does not define thresholds for what constitutes a substantial incident requiring notification to the relevant national authority. It defines five parameters which should be taken into consideration:

  • Number of users affected
  • Duration of incident
  • Geographic spread
  • The extent of the disruption of the service
  • The impact on economic and societal activities

These parameters will be further specified by the Commission by means of implementing acts.

Source: European Commission – Fact Sheet: Directive on Security of Network and Information Systems, Brussels, 6 July 2016

eIDAS Regulation

The new regulation for electronic identification and trust services (Regulation (EU) No 910/2014, referred to as eIDAS Regulation), contains Article 19 which requires, among others, that providers of trust services 1) assess risks, 2) take appropriate security measures to mitigate the risks, and 3) notify the supervisory body about significant incidents/breaches.

USA

NIST Framework for Improving Critical Infrastructure Cybersecurity

Affected entities: Agriculture and food, Water, Public Health, Emergency Service, Government, Defense Industrial Base, Information and Telecommunications; Energy, Transportation and Shipping, Banking and Finance, Chemical Industry and Hazardous Materials, Post, National Monuments, critical manufacturing

The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework provides organization and structure to today’s multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. Moreover, because it references globally recognized standards for cybersecurity, the Framework can also be used by organizations located outside the United States and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity. (…)

The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory. (NIST Framework for Improving Critical Infrastructure Cybersecurity, Draft Version 1.1 from 10 January 2017)

National Infrastructure Protection Plan (NIPP)

Affected entities: Chemical, Commercial facilities, communications, critical manufacturing, dams, Defense industrial base, emergency service, energy, financial services, food and agriculture, government facilities, healthcare and public health, Information technology, nuclear reactors, materials and waste, water and wastewater systems

Our national well-being relies upon secure and resilient critical infrastructure—those assets, systems, and networks that underpin American society. To achieve this security and resilience, critical infrastructure partners must collectively identify priorities, articulate clear goals, mitigate risk, measure progress, and adapt based on feedback and the changing environment. NIPP 2013: Partnering for Critical Infrastructure Security and Resilience (hereafter referred to as the National Plan), guides the national effort to manage risk to the Nation’s critical infrastructure.

The community involved in managing risks to critical infrastructure is wide-ranging, composed of partnerships among owners and operators; Federal, State, local, tribal, and territorial governments; regional entities; non-profit organizations; and academia. Managing the risks from significant threat and hazards to physical and cyber critical infrastructure requires an integrated approach across this diverse community to:

  • Identify, deter, detect, disrupt, and prepare for threats and hazards to the Nation’s critical infrastructure;
  • Reduce vulnerabilities of critical assets, systems, and networks; and
  • Mitigate the potential consequences to critical infrastructure of incidents or adverse events that do occur.

The success of this integrated approach depends on leveraging the full spectrum of capabilities, expertise, and experience across the critical infrastructure community and associated stakeholders. This requires efficient sharing of actionable and relevant information among partners to build situational awareness and enable effective risk-informed decision making.

(NIPP Executive Summary)

Presidential Policy Directive (PPD-21)

PPD-21 identifies 16 critical infrastructure sectors and corresponding responsible authorities:

  • Chemical Sector – The Department of Homeland Security
  • Commercial Facilities – The Department of Homeland Security
  • Communications Sector – The Department of Homeland Security
  • Critical Manufacturing Sectors – The Department of Homeland Security
  • Dams Sector – The Department of Homeland Security
  • Defense Industrial Base Sector – The U.S. Department of Defense
  • Emergency Services Sector – The Department of Homeland Security
  • Energy Sector – The Department of Energy
  • Financial Services Sector – The Department of the Treasury
  • Food and Agriculture Sector – The Department of Agriculture and the Department of Health and Human Services
  • Government Facilities Sector – The Department of Homeland Security
  • Healthcare and Public Health Sector – The Department of Health and Human Services
  • Information Technology Sector – The Department of Homeland Security
  • Nuclear Reactors, Materials, and Waste Sector – The Department of Homeland Security
  • Transportation Systems Sector – The Department of Homeland Security
  • Water and Wastewater Systems Sector – The Environmental Protection Agency

USA Patriot Act

The USA Patriot Act, Section 1016, defines critical infrastructure as systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Executive Order 13636 Improving Critical Infrastructure Cybersecurity

Executive Order 13636 contains the following points:

  • Develop a technology-neutral voluntary cybersecurity framework
  • Promote and incentivize the adoption of cybersecurity practices
  • Increase the volume, timeliness and quality of cyber threat information sharing
  • Incorporate strong privacy and civil liberties protections into every initiative to secure our critical-infrastructure
  • Explore the use of existing regulation to promote cyber security

(Homeland Security)

Presidential Executive Order 13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (2017)

Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, ordered various designated agencies to report to the President on a number of issues relating to critical infrastructure cybersecurity to support these entities’ risk management efforts. The reports mandated by the Order include reports on

  • whether Federal policies and practices are sufficient to promote market transparency of cybersecurity risk management practices by critical infrastructure entities, particularly publicly traded entities;
  • the potential scope and duration of a prolonged power outage associated with a significant cyber incident, the country’s readiness to manage the consequences of such an incident, and any gaps or shortcomings in assets or capabilities;
  • cybersecurity risks facing the defence industrial base, including its supply chain, and US military platforms, systems, networks and capabilities, as well as recommendations for mitigating those risks.

The Order also required designated agencies to identify authorities and capabilities to support critical infrastructure entities at greatest risk (as identified under a process established by Executive Order 13636), and to solicit input from those entities as to whether and how these authorities and capabilities might be employed to support their cyber risk management efforts.

(The White House)

France

Military Programming Law

Article 22 of the 2013 Military Programming Law now requires critical operators to reinforce the security of their information systems. These requirements apply to critical information systems identified by operators and involve reporting incidents, implementing a core set of security rules and making use of qualified detection service providers and products.

The National Cybersecurity Agency (ANSSI) is in charge of implementing these provisions within the Secrétariat général de la défense et de la sécurité nationale (SGDSN) and has worked closely with the ministries and operators to define rules that are at once effective, appropriate and sustainable for operators.

(Secrétariat Général de la Défense et de la Sécurité Nationale, SGDSN)

NIS Directive

National implementation of the EU directive (NIS adaptation): LOI n° 2018-133 du 26 février 2018 portant diverses dispositions d'adaptation au droit de l'Union européenne dans le domaine de la sécurité

United Kingdom

Centre for the Protection of National Infrastructure CPNI

There are 13 critical infrastructure sectors: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water. Several sectors have defined ‘sub-sectors’; Emergency Services, for example, can be split into Police, Ambulance, Fire Services and Coast Guard (Centre for the Protection of National Infrastructure CPNI).

China

Cybersecurity Law (2017)

Section 2 of the Cybersecurity Law addresses operational security for critical infrastructure. Article 31 in this section defines critical information infrastructure as infrastructure operated in industries such as public communications and information services, energy, transport, water conservancy, finance, public services and e-government, as well as in other important industries and fields, where a breach of the information infrastructure would result in serious damage to national security, the national economy, people’s livelihood or the public interest.

Articles 34-39 define provisions regarding critical infrastructure. Security operation obligations include: security management, assignment of responsibility for security management, periodic cybersecurity education, disaster backup processes for important systems and data, contingency plans and periodically conducted drills. Self-assessment, conducted by the national cyberspace administration authority in concert with relevant departments under the State Council, shall focus on:

  • The need for the data export (cross-border transfer)
  • The personal information involved
  • The security protection measures, capabilities and levels of the data receiver, and the network security environment in their country and region
  • The risks of data export and onward transfer
  • The risks that may be brought to national security, social public interests and the legitimate interests of individuals
  • Other important matters that need to be assessed

The network operator should report to the industry executives or supervisory departments, which organise the security assessment, if one of the following cases occurs:

  • The data contains personal information of more than 500,000 people
  • The amount of data is more than 100 GB
  • The data contains data of nuclear facilities, chemical biology, national defense industry, population health and other fields, as well as large-scale engineering activities, marine environment and sensitive geographic information data
  • The data contains network security information, including system vulnerabilities and security protection measures, for critical information infrastructure
  • Personal information and important data are provided abroad by critical information infrastructure operators
  • Other cases that may affect national security and social public interests, where industry executives or supervisory departments consider that an assessment is required.

Draft Regulations on Cyber Security Multi-level Protection Scheme

The Cybersecurity Law requires the Chinese Government to introduce a multi-level protection scheme. For this purpose the Regulations on Cyber Security Multi-level Protection Scheme was drafted. The Draft Regulation sets out the details of an updated Multi-level Protection Scheme, whereby network operators are required to comply with different levels of protections according to the level of risk involved with their networks.

The classification levels range from one to five, one being the least and five being the most critical. Information systems that are classified at level 3 or above are subject to enhanced security requirements.

(Draft Regulations on Cyber Security Multi-level Protection Scheme (In Chinese only) (2018))

Draft Regulation for the Protection of the Critical Information Infrastructure (2017)

The draft regulation (In Chinese only) is formulated in context with the Chinese Cyber Security Law. It addresses not only the security protection of Critical Information Infrastructures but also the planning, establishment, operation, maintenance and use of CIIs.

The draft regulation defines the following sectors as critical infrastructures:

  • government department, or an entity in the sector of energy, finance, transportation, water conservancy, health and medical services, education, social insurance, environmental protection, or public affairs
  • information network including telecom network, broadcast network, and internet; provision of cloud computing, big data and other large-scale public information network service
  • scientific research or manufacturing entity in the industry of science and technology for national defence, large equipment, chemicals, and food and medicine
  • press units such as broadcasting station, TV station and news agency
  • other important entities.

Switzerland

Nationale Strategie zum Schutz kritischer Infrastrukturen 2018-2022

The following industries and sectors form part of critical infrastructures: Government, Energy, Disposal, Finance, Health, Industry, Information and Communication, Food, Public Safety, Transport

The strategy defines the critical infrastructures and their subcategories. For the operationalisation of the objectives, a five-step plan is in place, comprising the following steps:

  1. Analysis
  2. Assessment
  3. Definition of measures
  4. Implementation of the measures
  5. Review

Brazil

Guia de Referencia para a Seguranca das Infraestructuras Criticas da Informacao

The guide (Guia de Referencia para a Seguranca das Infraestructuras Criticas da Informacao, 2010, in Portuguese only) is divided into four chapters:

Chapter 1 describes processes to map information assets in order to determine whether an environment is secure or not in terms of information and communications, considering criteria like availability, integrity, confidentiality and authenticity. Cyber incidents are considered in this chapter in order to identify the impacts arising from the interruption of services from critical information infrastructures, and to implement measures to maintain the continuity of services.

Chapter 2 describes the processes and tools to map and monitor information assets.

Chapter 3 points at different models and management tools to secure critical infrastructures, strengthen their resilience and build capacities.

Chapter 4 describes methods to identify and monitor threats to Critical Infrastructures.

Portaria N°34, de 3rd August 2009

The Ordinance (Portaria Nº 34, de 5 de agosto de 2009. Conselho de Defesa Nacional, Secretaria Executiva, in Portuguese only) establishes the Comitê Gestor de Seguranca da Informacao. It defines critical infrastructures as information assets that directly affect the power to act and the continuity of the State as well as the security of society. It also establishes a working group, giving it the task of identifying the threats to CI, implementing a system against threats and establishing a threat detection and reporting model.

Russian Federation

Federal Law No 187-FZ on the security of critical information infrastructure

The Federal Law (Federal Law No 187 FZ on the security of critical information infrastructure, 2017, in Russian only) sets out the basic foundations and principles for ensuring security of Russia’s critical information infrastructure, including the foundations for the functioning of the state system for detecting, preventing and liquidating the consequences of cyberattacks against Russian Federation information resources. This is a unified system, distributed across the country and endowed with the capability and resources needed to detect, prevent and liquidate the consequences of cyberattacks and respond to cyber incidents.

The Federal Law sets out the mechanism for preventing cyber incidents at important components of critical information infrastructure, which will considerably reduce the negative impact for the country in the event of cyberattacks against Russia.

The Federal Law defines the powers of state bodies for ensuring the security of critical information infrastructure and the rights and obligations of the various actors in this area.

(President of Russia, Kremlin)

India

National Cyber Security Policy

Creating mechanisms for security threat early warning, vulnerability management and response to security threats

1) To create National level systems, processes, structures and mechanisms to generate necessary situational scenario of existing and potential cyber security threats and enable timely information sharing for proactive, preventive and protective actions by individual entities.

2) To operate a 24x7 National Level Computer Emergency Response Team (CERT-In) to function as a Nodal Agency for coordination of all efforts for cyber security emergency response and crisis management. CERT-In will function as an umbrella organization in enabling creation and operationalization of sectoral CERTs as well as facilitating communication and coordination actions in dealing with cyber crisis situations.

3) To operationalise 24x7 sectoral CERTs for all coordination and communication actions within the respective sectors for effective incident response & resolution and cyber crisis management.

4) To implement Cyber Crisis Management Plan for dealing with cyber related incidents impacting critical national processes or endangering public safety and security of the Nation, by way of well coordinated, multi disciplinary approach at the National, Sectoral as well as entity levels.

5) To conduct and facilitate regular cyber security drills & exercises at National, sectoral and entity levels to enable assessment of the security posture and level of emergency preparedness in resisting and dealing with cyber security incidents.

(National Cyber Security Policy (2013))

National Critical Information Infrastructure Protection Center

Duties of the National Critical Information Infrastructure Protection Center (NCIIPC):

  • National nodal agency for all measures to protect nation's critical information infrastructure.
  • Protect and deliver advice that aims to reduce the vulnerabilities of critical information infrastructure, against cyber terrorism, cyber warfare and other threats.
  • Identification of all critical information infrastructure elements for approval by the appropriate Government for notifying the same.
  • Provide strategic leadership and coherence across Government to respond to cyber security threats against the identified critical information infrastructure.
  • Coordinate, share, monitor, collect, analyze and forecast, national level threat to CII for policy guidance, expertise sharing and situational awareness for early warning or alerts. The basic responsibility for protecting CII system shall lie with the agency running that CII.
  • Assisting in the development of appropriate plans, adoption of standards, sharing of best practices and refinement of procurement processes in respect of protection of Critical Information Infrastructure.
  • Evolving protection strategies, policies, vulnerability assessment and auditing methodologies and plans for their dissemination and implementation for protection of Critical Information Infrastructure.
  • Undertaking research and development and allied activities, providing funding (including grants-in-aid) for creating, collaborating and development of innovative future technology for developing and enabling the growth of skills, working closely with wider public sector industries, academia et al and with international partners for protection of Critical Information Infrastructure.
  • Developing or organising training and awareness programs as also nurturing and development of audit and certification agencies for protection of Critical Information Infrastructure.
  • Developing and executing national and international cooperation strategies for protection of Critical Information Infrastructure.
  • Issuing guidelines, advisories and vulnerability or audit notes etc. relating to protection of critical information infrastructure and practices, procedures, prevention and response in consultation with the stake holders, in close coordination with Indian Computer Emergency Response Team and other organisations working in the field or related fields.
  • Exchanging cyber incidents and other information relating to attacks and vulnerabilities with Indian Computer Emergency Response Team and other concerned organisations in the field.
  • In the event of any threat to critical information infrastructure the National Critical Information Infrastructure Protection Centre may call for information and give directions to the critical sectors or persons serving or having a critical impact on Critical Information Infrastructure.

Information Technology Act

Section 70 of the Information Technology Act, 2000 (amended 2008) states that the Government may declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure to be a protected system. It defines Critical Information Infrastructure as the computer resource, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety.

Further it states:

  • The appropriate Government may, by order in writing, authorise the persons who are authorised to access protected systems notified under sub-section (1).
  • Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.

Guidelines for the Protection of Critical Infrastructure

The Government of India has notified the ‘National Critical Information Infrastructure Protection Centre’ (NCIIPC) as the nodal agency. NCIIPC is driven by its mission to take all necessary measures to facilitate protection of Critical Information Infrastructure, from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction, through coherent coordination, synergy and raising information security awareness among all stakeholders, with a vision to facilitate safe, secure and resilient Information Infrastructure for Critical Sectors in the country.

The National Security Advisor had in July 2013 released a document listing forty controls and corresponding guiding principles for the protection of CIIs. In view of the dynamic nature of cyberspace and to ensure the continued relevance of these controls, NCIIPC is continuously reassessing them based on ongoing experience as well as feedback from NCII constituents. These controls have been grouped into five sets (or families):

  • Planning Controls
  • Implementation Controls
  • Operational Controls
  • Disaster Recovery/ Business Continuity Planning (BCP) Controls
  • Reporting and Accountability Controls

In circumstances where a particular control may not provide the best fit, the concerned organization needs to consider compensatory controls, which could also be procedural, so as to ensure that the attack surface presented by the organization’s Information Infrastructure is minimized.

(Executive Summary Guidelines for the Protection of National Critical Infrastructure, 2015)

Canada

Action Plan for Critical Infrastructure

The Action Plan is a blueprint to implement Canada’s National Strategy for Critical Infrastructure (the National Strategy). Approved by Federal/Provincial/Territorial Ministers responsible for Emergency Management in 2010, the National Strategy defines critical infrastructure as the processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.

National Strategy for Critical Infrastructure

The goal of the National Strategy for Critical Infrastructure is to build a safer, more secure and more resilient Canada. To this end, the National Strategy advances more coherent and complementary actions among federal, provincial and territorial initiatives and among the ten critical infrastructure sectors listed below:

  • Energy and utilities
  • Finance
  • Food
  • Transportation
  • Government
  • Information and communication technology
  • Health
  • Water
  • Safety
  • Manufacturing

The fundamental concepts and principles outlined in this National Strategy flow from the Emergency Management Framework for Canada, which sets out a collaborative approach for federal, provincial and territorial emergency management initiatives. Consistent with this Framework, and recognizing the interconnected nature of critical infrastructure, the National Strategy fosters the development of partnerships among federal, provincial and territorial governments and critical infrastructure sectors, advances an all-hazards risk management approach, and sets out measures to improve information sharing and protection.

Singapore

Cybersecurity Act

Part 3 of the Cybersecurity Act (2018) covers Critical Information Infrastructures, which are defined by sector as: Energy, Water, Banking and Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Infocomm, Media, Security and Emergency Services, and Government.

Its objective is to strengthen the protection of Critical Information Infrastructure (CII) against cyber-attacks. The Act provides a framework for the designation of CII and gives CII owners clarity on their obligations to proactively protect the CII from cyber-attacks (cybersecurity audits, risk assessments and the obligation to report cyber incidents). It also gives the Commissioner the power to issue directions.

Computer Misuse Act

The Computer Misuse Act dedicates its Section 9 to offences involving protected computers:

Section 9. Enhanced punishment for offences involving protected computers

(1)  Where access to any protected computer is obtained in the course of the commission of an offence under section 3, 5, 6 or 7, the person convicted of such an offence shall, in lieu of the punishment prescribed in those sections, be liable to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 20 years or to both.

(2)  For the purposes of subsection (1), a computer shall be treated as a “protected computer” if the person committing the offence knew, or ought reasonably to have known, that the computer or program or data is used directly in connection with or necessary for —

(a) the security, defence or international relations of Singapore;

(b) the existence or identity of a confidential source of information relating to the enforcement of a criminal law;

(c) the provision of services directly related to communications infrastructure, banking and financial services, public utilities, public transportation or public key infrastructure; or

(d) the protection of public safety including systems related to essential emergency services such as police, civil defence and medical services.

(3) For the purposes of any prosecution under this section, it shall be presumed, until the contrary is proved, that the accused has the requisite knowledge referred to in subsection (2) if there is, in respect of the computer, program or data, an electronic or other warning exhibited to the accused stating that unauthorised access to that computer, program or data attracts an enhanced penalty under this section.


South Africa

Critical Infrastructure Protection Bill

Explanatory summary: The Bill provides for guidelines and factors to be taken into account to ensure transparent identification and declaration of critical infrastructure. The Bill makes provision that costs of installing security measures of a critical infrastructure should be borne by the owner of the critical infrastructure. The Bill further provides for terms and conditions regarding access to the Critical Infrastructures.

The Bill also creates offences and penalties; these are categorized in order of severity, and discretion of the courts is provided for. According to the provisions of the Bill, it is an offence for a person to take or record, or cause to be taken or recorded, an image, video or film of a critical infrastructure with the intent to use or distribute such image, video or film for an unlawful purpose. The Bill finally provides for transitional arrangements: within a period of 60 months after the coming into operation of the Act, the National Commissioner of the South African Police Service must compile a report regarding the suitability of each Key Point to be declared Critical Infrastructure. (Government Gazette, 15 September 2017)

The Minister has the power to declare critical infrastructure under Section 16 of the Bill on application. When considering an application, the Minister must consider:

Section 16 (2) (a) whether the loss, damage, unlawful disruption or immobilization of such infrastructure may severely prejudice—

(i) the functioning or stability of the economy of the Republic;

(ii) the public interest with regard to safety and the maintenance of law and order;

(iii) the provision of basic public services; or

(iv) national security;

(b) factors set out in section 17;

(c) any prescribed guidelines for the identification and declaration of infrastructure as critical infrastructure; and

(d) recommendations of the Critical Infrastructure Council.

Section 17 of the Bill specifies the factors to be taken into account in the declaration of critical infrastructure.

Sections 18 and 19 of the Bill specify the requirements for declaration as critical infrastructure by the person in control and by the National Commissioner respectively.

Section 26 describes offences against critical infrastructure and the corresponding penalties.

(Critical Infrastructure Protection Bill, 2017)

Cybercrimes and Cybersecurity Bill

Sections 57 and 58 of Chapter 11 of the Cybercrimes and Cybersecurity Bill are dedicated to the protection of Critical Information Infrastructure. Section 58 describes the obligation to conduct an audit every 24 months and all relevant provisions therefor. (Cybercrimes and Cybersecurity Bill)

Electronic Communications and Transactions Act 25 of 2002

Chapter IX of the Electronic Communications and Transactions Act provides that the Minister may identify critical data and critical databases (Section 53).

Section 55 describes the management of critical databases.

Under Section 54 of the Act, database registers are subject to restrictions on the disclosure of information.

Section 57 describes the right to audit by a cyber inspector or an independent auditor.

A Director-General who fails to comply with the provisions and fails to take remedial action is guilty of an offence (Section 58).

(Electronic Communications and Transactions Act 25 of 2002)

United Arab Emirates

No specific regulation on critical infrastructure has been introduced so far.

Israel

Security in Public Bodies Act, 1998

The Security in Public Bodies Act (1998, in Hebrew only) lists entities that are considered Critical Infrastructures. It regulates the security requirements for the physical, digital and information systems of critical infrastructures. Critical infrastructure providers are therefore required to appoint a security officer.

Turkey

National Cyber Security Strategy

The 2016-2019 National Cyber Security Strategy defines critical infrastructures as infrastructures containing information systems whose compromise, in terms of the confidentiality, integrity or availability of the data they contain, may cause loss of life, large-scale economic loss, national security gaps or disturbance of public order. It names the following sectors as critical infrastructures: electronic communication, energy, water management, critical public services, transportation, and banking and finance.

One of the main objectives is to strengthen the resilience of critical infrastructures; to that end, the Strategy provides for the necessary technological and organizational measures.

Mexico

No regulation on critical infrastructure is in place.

Australia

Security of Critical Infrastructure Act 2018

The three key elements of the Security of Critical Infrastructure Act 2018 are:

  • a Register of Critical Infrastructure Assets – the register will build a clearer picture of critical infrastructure ownership and control in high-risk sectors, and support more proactive management of the risks these assets face. Owners and operators of relevant critical infrastructure assets will have six months from 11 July 2018 to register ownership and operational information on the register
  • an information gathering power – the Secretary of the Department of Home Affairs will have the power to obtain more detailed information from owners and operators of assets in certain circumstances to support the work of the Centre
  • a Ministerial directions power – the Minister for Home Affairs will have the ability to direct an owner or operator of critical infrastructure to do, or not do, a specified thing to mitigate against a national security risk where all other mechanisms to mitigate the risk have been exhausted. (Australian Government - Department of Home Affairs)

Coverage of the Security of Critical Infrastructure Act 2018

The Australian Government defines Critical Infrastructure as:

‘those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security’.

For the purpose of the Act, Critical Infrastructure refers to:

  • critical electricity assets
  • critical gas assets
  • critical ports
  • critical water assets
  • assets declared under clause 51 to be critical infrastructure assets, or
  • assets prescribed by the rules of the Act

Further specifications can be found in the "Coverage of the Security of Critical Infrastructure Act 2018" fact sheet provided by the Australian Government, Department of Home Affairs.

(Coverage of the Security of Critical Infrastructure Act 2018)

Egypt

Premier Decree on Cybersecurity

Prime Minister Sherif Ismail issued a decree on cybersecurity (Premier Decree on Cybersecurity, 2017, in Arabic only) that was published in the Egyptian Official Gazette, Issue No. 17 BIS (b), on May 2. Article One of the Decree stipulates that all government bodies, at all levels, and public sector companies are to commit to implementing the decisions and recommendations of the Egyptian Supreme Cybersecurity Council (ESCC) with respect to securing their critical ICT infrastructure, while taking all technical and administrative measures necessary to confront cyber threats and attacks and implementing the national cybersecurity strategy.

Article Two of the Decree states that the Minister of Communications and Information Technology shall establish and define the rules and procedures necessary to secure the critical information infrastructure of the State’s sectors, as well as monitoring the implementation of ESCC decisions and recommendations and executing this Decree’s provisions.

Former Prime Minister Ibrahim Mahlab issued, on 16 December 2014, a decree for establishing the Egyptian Supreme Cybersecurity Council (ESCC). The ESCC reports directly to the Council of Ministers; its mission is to develop a strategy that counters cyber threats and oversees its implementation.

(Ministry of Communications and Information Technology)

Philippines

National Cybersecurity Plan 2022

One of the Key Program Areas in the National Cybersecurity Plan 2022 is the Protection of Critical Information Infrastructure (CII). The plan names telecommunications, water resource agencies, and power generators and plants as examples of CII.

To protect CII, the following should be in place:

  • Cybersecurity Assessment and Compliance
  • Program for National Cyber Drills and Exercises
  • National Database for Monitoring and Reporting

Italy

Decreto Legislativo 18 maggio 2018, n.65

Decreto legislativo 18 maggio 2018, n. 65: Attuazione della direttiva (UE) 2016/1148 del Parlamento europeo e del Consiglio, del 6 luglio 2016, recante misure per un livello comune elevato di sicurezza delle reti e dei sistemi informativi nell'Unione (Legislative Decree No. 65 of 18 May 2018, implementing Directive (EU) 2016/1148, the NIS Directive, into Italian law.)

In Italy, the following industries and sectors are defined as critical infrastructures:

  • energy transmission and distribution networks (electricity, gas, etc.),
  • TLC (telecommunications) networks,
  • transport systems (goods and passengers),
  • emergency services,
  • defense infrastructures,
  • banking and financial circuits,
  • national health care services,
  • water transport, distribution and treatment systems,
  • media and public information networks,
  • farming and food processing industries,
  • government networks

Korea

Act on the Protection of Information and Communications Infrastructure

Content of the Act on the Protection of Information and Communications Infrastructure:

  • Formation of the Committee for Protection of Information and Communications Infrastructure, which coordinates protection policies for critical information and communications infrastructure
  • Protection against electronic intrusions, and the establishment and implementation of plans for the protection of critical information and communications infrastructure
  • Analysis and evaluation of infrastructure vulnerabilities in order to establish protective measures, and notification of the Korea Internet & Security Agency (KISA) so that the necessary measures can be taken to prevent the spread of an incident
  • Support for information sharing
  • Punishment of illegal acts against information infrastructure

Germany

Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz, BSIG)

Section 8 of the BSIG defines measures for the protection of critical infrastructures and digital service providers and the corresponding duties.

Non-compliance with section 8 may lead to fines up to 100,000 €.

Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz (BSI Kritis-Verordnung – BSI-KritisV)

The BSI Kritis-Verordnung, issued pursuant to section 10 of the BSIG, defines which operators count as critical infrastructure in the following sectors:

  • Energy
  • IT and Telecommunications
  • Transport and Traffic
  • Health
  • Water
  • Food
  • Finance and Insurance

There are further more detailed specifications in the appendix of the BSI-KritisV.

Operators of critical infrastructures are obliged to take organizational and technical precautions to prevent disruption of the availability, integrity, authenticity and confidentiality of their information technology systems.

IT-Sicherheitsgesetz 2015 (Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme; Version 2.0 is currently in legislative process)

The IT Security Law amends the BSIG and focuses on the protection of critical infrastructures. It also amends the Telemediengesetz and the Telekommunikationsgesetz, among other acts. As a result, operators of critical infrastructure are subject to higher security standards and defined security measures, and are obliged to report any cyber incident to the BSI.

Gesetz zur Umsetzung der NIS-Directive

The Gesetz zur Umsetzung der NIS-Directive (Act implementing the NIS Directive) amends the BSIG in line with the European Directive.